An additional fix for the openssl Weak DH remediation:

The import of openssl to address the FreeBSD-SA-15:10.openssl security advisory includes a change which rejects handshakes with DH parameters below 768 bits. sendmail releases prior to 8.15.2 (not yet released), defaulted to a 512 bit DH parameter setting for client connections. The first fix committed last week changed the default to 1024 bits. This commit fixes the case where the DHParameters option is set to a file which doesn't exist, which is the case on newer versions of FreeBSD which enable STARTTLS by default by auto-creating TLS certificates. MFC after: 2 days
svn path=/head/; revision=284717
2024-10-19 02:29:40 +00:00 · 2015-06-23 04:33:54 +00:00 · 2015-06-23 04:33:54 +00:00 · 3df48792f2 · 2020-12-20 02:59:44 +00:00
commit 3df48792f2
parent 90e528f838
1 changed files with 1 additions and 1 deletions
--- a/contrib/sendmail/src/sendmail.h
+++ b/contrib/sendmail/src/sendmail.h
@ -1935,7 +1935,7 @@ struct termescape

 /* server requirements */
 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 			 TLS_I_CACHE)

 /* client requirements */